WebApp Sec mailing list archives

Re: Prevent security bypass


From: Alex Russell <alex () netWindows org>
Date: Thu, 6 Feb 2003 12:02:15 -0600

On Thursday 06 February 2003 08:49, TUER, DON wrote:
> Number one recommendation is to upgrade to ASP.NET. It has built-in form
> authentication and can secure pages at any level.

I'm having a hard time buying this argument, mainly because .NET is entirely 
new code. I don't care what kind of religion Redmond says it's found, the 
proof is in the pudding, and the pudding is still telling us that it 
takes at least 3 releases for MS to get to anything approaching 
functionally secure. The development community at large has been bitten 
enough times that we should, frankly, know better.

Anyone doing code audits will tell you that if you want to find problems 
with some code, you look at the newest code first. So to get some level of 
protection from a now standard feature, you are suggesting introducing an 
entirely new level of complexity and a set of technologies he/she is even 
less likely to understand than the tools he/she is already using? Seems the 
tradeoff there isn't very good from a security standpoint.

If the poster isn't already tied to .NET, having them move to an immense new 
chunk of beta-quality code seems like a dubious suggestion, IMO.

-- 
Alex Russell
alex () netWindows org
alex () SecurePipe com

